Hi Guys,

My auditd server is getting overwhelmed by the logs that it is receiving. I've configured remote audit logging via an audisp plugin. Earlier I tried to reduce the amount of logs by optimizing the audit rules, but we want to reduce it further. Here's the list of things that I can think of to reduce the volume of logs further:

1. Increase the kernel buffer for auditd from 20480 (current) to 99999.

2. Increase the priority of the auditd process. Currently 'priority_boost = 10'. Default is 4. I don't know the maximum value (though I've seen someone using 12). Can anyone tell me what's the maximum priority I can give?

3. Optimize the audit messages further:

   a. Exclude a single file (like /etc/sysconfig/bash-prompt-xterm) from being audited. This can be done with the following rule (Thanks to Steve!):

      -a exit,never -F path=/etc/sysconfig/bash-prompt-xterm

   b. Exclude specific processes by their PIDs. This will be tricky as we will need to keep track of PIDs in case of process start/stop/restart etc.
Any other idea that I'm missing on this list? Is it possible to filter the messages based on message pattern matching (like syslog)? Any help will be much appreciated.

--
-Rathor

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
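As an added illustration (not part of Rathor's post or of any reply on the list) of how the volume-reduction ideas above look when written into an audit rules file, here is a constructed /etc/audit/audit.rules fragment. The excluded path and the 20480 buffer size are taken from the post; the key names, the /usr/bin/example-agent executable and the choice of CWD as the record type to drop are assumptions made for illustration. Two points the post does not spell out: rules are matched in order and the first match wins, so "never" rules only work if they come before the "always" rules they are meant to suppress; and filtering on `-F exe=` (an alternative to tracking PIDs across restarts) needs a reasonably recent kernel and audit userspace, so load the file with `auditctl -R` on a test host before deploying it.

```text
## Constructed example audit.rules fragment (not from the original post).
## auditctl evaluates rules top to bottom and stops at the first match,
## so the "never" rules that suppress noise must come BEFORE the
## "always" rules that generate it, otherwise they have no effect.

# Flush existing rules so this file is the single source of truth
-D

# Kernel backlog: 20480 is the value from the post. Raise it only if
# "audit: backlog limit exceeded" shows up in the kernel log; a larger
# buffer hides a slow consumer, it does not reduce the event rate.
-b 20480

# Failure mode on kernel-side error: 0 = silent, 1 = printk, 2 = panic
-f 1

## --- Suppression rules (placed first on purpose) ---

# 3a. Exclude a single noisy file (path from the post). "-S all" makes
# the rule match no matter which syscall touched the file.
-a exit,never -S all -F path=/etc/sysconfig/bash-prompt-xterm

# 3b. Exclude by executable instead of by PID, so process restarts do
# not matter. /usr/bin/example-agent is a placeholder; the exe field is
# rejected by older kernels/auditctl, so verify with "auditctl -R".
-a exit,never -S all -F exe=/usr/bin/example-agent

# Drop an entire record type before it is emitted. CWD records accompany
# every PATH record on file syscalls and are often the bulk of the
# volume; only drop them if your collector does not need to resolve
# relative paths.
-a always,exclude -F msgtype=CWD

## --- Rules that generate events (after the suppressions) ---

# Example watches (assumed; replace with the real ruleset). Because the
# "never" rules above match first, writes to bash-prompt-xterm under
# /etc/sysconfig/ are not logged even though this watch covers them.
-w /etc/passwd -p wa -k identity
-w /etc/sysconfig/ -p wa -k sysconfig

# Lock the configuration so rules cannot be changed without a reboot.
# Enable only once the ruleset is known to be stable.
# -e 2
```

Keep the file ordered as shown: if the `-w /etc/sysconfig/` watch were moved above the `-a exit,never -F path=...` line, the exclusion would never be reached and the noise would come back.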
